AnsweredAssumed Answered

Two-Factor for an AD Identity System with Linux Endpoints

Question asked by James Dafferner on Jul 18, 2017
Latest reply on Jul 18, 2017 by Piers Bowness



In the interest of full disclosure I'm an RSA newbie and have been working with AM 8.2 for the last four to five months, that said.


I have a lab situation that I'm testing and would like to find out if AM 8.2 can be used in the following way.  


I have an Active Directory (2012 R2) server that is providing Identities (Users/Groups) to my RSA 250s that are in a Primary/Replica deployment.  I have a third party providing DNS and DHCP services we are using an external NTP as well. The network we are testing on is a simple switch as the purpose for this lab is to test configurations before adding layers of security and other services on top of it.   The target system in this lab is a Linux based system it has two servers these servers pull identities (Users/Groups) from Active Directory.  The Linux Servers provide what amounts to an image to a zero client, this is Linux based but restricted to an interface for the application on the Linux Server.    The server pushes the image (Linux based) to the zero client via TFTP once the image is sent the client joins the domain.  As it stands right now, I don't have any of the Zero Client computers in Active Directory but they can be added if needed.


I am using the RSA Authentication Agent for Windows v7.33 and have a Standard Agent (RSA Native) issued between my SecurID deployment and my Active Directory deployment.  I'm using SID 700 tokens and all test authentications work with my AD Identities and groups that have been imported and issued tokens.  After tuning the RSA Agent for Windows v7.33 GPO's have been my Users can authenticate on a Windows 10 client attached to the domain for testing.


So here is the crux of the problem.  My Linux boot image only has a Username/Password field and in addition to that I cannot add any software to either the Linux servers or clients as this would break the warranty/security accreditation of the system.  What I want to do is add a simple two-factor verification for users of the system as they log on to the Linux client, as it stands right now I can extend two factor to any Windows User logging on to a Windows machine, which is great but not necessarily the ultimate goal.  I feel IF I could use the RSA PAM for Linux/Unix I could do this easily but since I cannot modify any elements in the Linux deployment this is impossible for me to use.


I have attached a small png of the system where items in Red are not able to have any software loaded on them.


I appreciate any advice that can further my understanding of Authentication Manager.